Google says it's been applying pressure to get more sites to begin using HTTPS.

"For the past several years, we've moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption," Emily Schechter, Google's Chrome security product manager, says in a Thursday blog post. "And within the last year, we've also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as 'not secure.' Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as 'not secure.'"

Plug-ins are already available for many browsers, including Mozilla Firefox, that are designed to alert users when they're visiting a site via just HTTP. But it's not clear how quickly browsers beyond Chrome might also do this by default.

Life Since 2010

The shift to HTTPS is well underway.

Percent of page loads over HTTPS in Chrome by platform. (Source: Google)

At first, however, many worried that the extra processing power required to drive encryption might "slow down connections only slightly," as Facebook warned in 2012 when it finally adopted HTTPS by default, having already used it to secure pages that required a username or password. Although, as security expert Ivan Ristic noted at the time, Facebook continued to offer "an opt-out for the crazies."

Flashback: Facebook offered HTTPS as an opt-in setting for some users beginning in 2011.

Facebook was following in the footsteps of Google, which in January 2010 made HTTPS the default for all access to Gmail.

Two months later, Pamela Jones Harbour, the outgoing commissioner of the U.S. Federal Trade Commission, called on large internet services, such as Microsoft's Hotmail, Facebook and Yahoo, to also begin using HTTPS. "Security needs to be a default in the cloud," she said.

And by July 2012, Google was reporting that it had seen almost no performance hit due to enabling HTTPS. Shortly thereafter, Twitter and Hotmail also began using HTTPS by default.

Current HTTPS Adoption

Since then, the move to HTTPS appears to be progressing well. Google says users of its Chrome browser are finding HTTPS:

68 percent of the time when using Android and Windows.

78 percent of the time when using Mac OS X, iOS and Chrome OS.

Google says 81 of the top 100 websites - based on traffic volumes - use HTTPS by default.

The number of domains of the top 1 million that use the HTTPS protocol by default. (Source: Statoperator.com)

Google Offers Open Source Lighthouse

Many websites, however, have been kludged together over the years, which can make it difficult to trace when resources are being loaded using HTTP instead of HTTPS.

To help, Google's Schechter recommends the latest Node CLI version of Lighthouse, an automated improvement tool for developers. The open source tool is designed to help developers improve and maintain the quality of a web app.

"The new audit in Lighthouse helps developers find which resources a site loads using HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version," Schechter says.
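The kind of check that audit describes can be sketched on a saved copy of a page. The following is an added example, not Lighthouse's code or Google's: it lists the subresources an HTTPS page would fetch over plain HTTP and shows the scheme-only rewrite. The page markup and `example.test` hostnames are constructed, and whether the HTTPS version of each resource actually exists still has to be confirmed separately.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a subresource. Scripts, stylesheets and
# frames are "active" mixed content; images and media are "passive".
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"), ("object", "data")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

# Constructed sample page (hostnames are placeholders).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<a href="http://example.test/about">About</a>
<img src="/logo.png">
<img src="http://img.example.test/banner.png">
</body></html>"""

class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url, line_number)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # This example counts <link> only when rel includes "stylesheet";
        # <a href> is navigation, not a subresource, so it is never listed.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t == tag and attrs.get(attr):
                    # Relative and protocol-relative URLs inherit the page's scheme.
                    url = urljoin(self.page_url, attrs[attr].strip())
                    if urlsplit(url).scheme == "http":
                        self.findings.append((kind, tag, url, self.getpos()[0]))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

def upgraded(url):
    """The same reference with only the scheme changed to https."""
    return "https" + url[len("http"):]
```

Active findings are the ones to fix first, since browsers block those outright on HTTPS pages while passive ones typically only degrade the security indicator.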

Overview of Lighthouse from the May 2017 Google I/O conference

Regardless of the tools developers use to help them build more secure sites, the writing is clearly on the wall: The future is HTTPS.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.